Hi, I am facing challenges where most of my desktops and laptops are vulnerable because the KB958644 patch is missing. Due to this my networks are vulnerable to Conficker. I am patching and cleaning the machines manually. Now I am looking for a solution such that when a user logs in to the domain it cross-verifies the KB958644 patch-missing status through the net user logon script and deploys the patch if it is missing. Kindly suggest any script and runas script to execute the same without password prompting and in a hidden manner. Help me to recover from this situation. Thanks in advance.

Hi, it's good you are being proactive about patching your systems, even if they are a bit out of date at the moment. The main problem I can see is that your systems will be vulnerable to exploitation over the network until someone logs into the domain.

I'm sure there is a better way to patch these systems, particularly if they are members of a Windows domain. I'm sure someone here with a bit more Windows admin experience might have something to add.

I already commented on your other post regarding similar concepts. If you insist on using a script, use a Startup (not Logon) script configured through GPOs to detect the missing patch. If you need to write the results to a central location somewhere on the network, log your results to a temporary directory on each PC. Then configure a separate Logon script to pick up the results and output them to a network share. The Startup script will run under the SYSTEM account when the machine starts up. The Logon script will run under a user's account (during logon) and will have access to network shares.

You can also use some VBScript to send keys to the RunAs command. There are plenty of Google hits for this. An example of such code is below:
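The Startup-script approach described in the post above, as an added illustration (this is not the poster's own code, nor the RunAs VBScript they refer to, which is not reproduced on this page). The share path \\FILESERVER\Patches and the installer file name are assumptions; the script runs as SYSTEM at boot, checks for KB958644, installs it silently if absent, and logs the outcome to a local temp directory for a later Logon script to collect:

```batch
@echo off
rem Startup script (GPO: Computer Configuration > Windows Settings > Scripts > Startup).
rem Runs as SYSTEM, so it can install the update but has no user credentials for shares;
rem the share must be readable by Domain Computers. Results go to a local log that a
rem separate Logon script (running as the user) can copy to a network share.
rem ASSUMPTION (not from the thread): share path and installer file name below.

setlocal
set PATCH=KB958644
set SRC=\\FILESERVER\Patches\WindowsXP-KB958644-x86-ENU.exe
set LOG=%SystemRoot%\Temp\%PATCH%-status.log

rem "wmic qfe" lists installed hotfixes; "find" sets errorlevel 0 when the ID appears.
wmic qfe where "HotFixID='%PATCH%'" get HotFixID 2>nul | find /i "%PATCH%" >nul
if %errorlevel%==0 (
    echo %date% %time% %COMPUTERNAME% %PATCH% present>> "%LOG%"
    goto :end
)

echo %date% %time% %COMPUTERNAME% %PATCH% MISSING - attempting install>> "%LOG%"
if not exist "%SRC%" (
    echo %date% %time% %COMPUTERNAME% installer not reachable at %SRC%>> "%LOG%"
    goto :end
)

rem /quiet suppresses the UI, /norestart defers the reboot. The machine stays
rem exposed until it restarts, so the log line lets you chase the pending reboots.
"%SRC%" /quiet /norestart
echo %date% %time% %COMPUTERNAME% installer exit code %errorlevel% (reboot pending)>> "%LOG%"

:end
endlocal
```

Because the check runs at boot rather than at logon, a machine that is powered on but never logged into still gets patched, which addresses the exposure window noted earlier in the thread.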

Hi, currently I am using ISS and the MBSA scanner to detect the vulnerable systems. To work more proactively I am trying to fix the machines as soon as they are connected to the network. I generated a script to scan the reg file of the vulnerable system, but after scanning, if the system is vulnerable, then I need to patch the system using admin credentials within the script. That is where I got stuck. I am unable to find any mechanism where I can execute the script with admin credentials on the local system.

"Microsoft Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates to computers running the Windows operating system. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network."

If your computers don't have the patch from October it sounds like there is a more systematic problem than one missing patch. I would highly suggest creating a patch management procedure and spending some money and time on something to deploy the patches.

One bugbear of mine is security systems that require you to trust the client. If you install the scripts on the client (i.e. laptops) you are trusting them to audit themselves and enforce security. This spells FAIL on many levels: if the scripts are not installed, have been removed, or it is an unauthorised device.

Your goal is to prevent unpatched systems hooking up to the network. All well and good, but these systems need to get their updates, right? Better to centrally enforce updates to clients with something like WSUS and have the option to block rogue devices on your switches.